winrm-pentesting
Best for Penetration testers assessi…Works with GitHubHigh risk
⌘source
- author
@wgpsec- language
- Python
★1.2kstars
199forks
Apr 22, 2026
✦overview.md
Key Features
- ·Tests WinRM service authentication (passwords, hashes, Kerberos tickets, certificates)
- ·Executes remote commands via PowerShell Remoting and Evil-WinRM
- ·Supports file upload/download and .NET assembly loading
- ·Facilitates lateral movement within Windows environments
- ·Includes detection for known vulnerabilities like CVE-2021-38647
Use Cases
- →Testing WinRM service authentication on discovered open ports 5985 or 5986
- →Executing remote commands on a Windows host after successful credential validation
- →Performing lateral movement from a compromised host to other systems in the network
Best for
- ✓Penetration testers assessing Windows network services
- ✓Red team operators conducting internal network exploitation
- ✓Security researchers validating WinRM security configurations
Not ideal for
- !General system administration tasks
- !Non-Windows environments
- !Legal compliance auditing without proper authorization
FAQs
name
winrm-pentesting
description
WinRM 服务(5985/5986 端口)渗透测试方法论。涵盖 WinRM 服务发现、凭据测试(密码/哈希/Kerberos票据)、远程命令执行、Evil-WinRM 使用、横向移动。
当 Agent 扫描发现 5985 或 5986 端口开放、需要测试 WinRM 认证、执行远程命令、或进行 Windows 横向移动时,触发此 Skill。
metadata:{"tags":["winrm","5985端口","5986端口","evil-winrm","powershell远程","windows"],"category":"exploit/network-service"}
WinRM 渗透测试方法论 (5985/5986)
相关 skill: 凭据喷洒 ->
cred-spray; AD 域攻击 ->ad-domain-attack; NTLM 中继 ->ntlm-relay-attack; 横向移动 ->lateral-movement; RDP ->rdp-pentesting
深入参考
- WinRM 认证方式、Evil-WinRM 高级用法、COM 对象利用、漏洞详情 -> 读 references/winrm-techniques.md
整体决策树
发现 5985/5986 端口开放
├─ Phase 1: 服务发现
│ ├─ 确认 WinRM 可用: Test-WSMan / curl 探测
│ ├─ HTTP (5985) vs HTTPS (5986) -> 影响攻击面
│ └─ 版本与协议信息
├─ Phase 2: 凭据测试
│ ├─ 密码 -> crackmapexec / Evil-WinRM
│ ├─ NTLM 哈希 -> Pass-the-Hash (Evil-WinRM -H)
│ ├─ Kerberos 票据 -> Evil-WinRM -k
│ └─ 证书 -> Evil-WinRM --cert-pem / --key-pem
├─ Phase 3: 远程执行
│ ├─ PowerShell Remoting (Invoke-Command / Enter-PSSession)
│ ├─ Evil-WinRM 交互 shell
│ └─ WSMan.Automation COM 对象 (绕过 CLM)
├─ Phase 4: Evil-WinRM 高级功能
│ ├─ 文件上传/下载
│ ├─ 加载 .NET 程序集 (Invoke-Binary)
│ ├─ 加载 PowerShell 脚本 (-s 参数)
│ └─ Kerberos / 证书认证
├─ Phase 5: 横向移动
│ ├─ NTLM Relay -> WinRM (ntlmrelayx.py -t wsman://)
│ ├─ 从已控主机 PS-Remoting 到其他主机
│ └─ WSMan COM 横向移动 (绕过 CLM)
└─ Phase 6: 已知漏洞
├─ OMIGOD CVE-2021-38647 (Azure OMI unauthenticated RCE)
├─ NTLM Relay to WS-MAN (Impacket 0.11+)
$install
1-click copynpx skills add wgpsec/AboutSecurity --skill winrm-pentestingSafety assessment
★
Clarity score
How clear and easy to understand the SKILL.md instructions are, rated from 1 to 5.
5/ 5
excellentVery clear and well structured, with almost no room for misunderstanding.
◎
Actionability score
How directly an agent can act on the SKILL.md instructions, rated from 1 to 5.
5/ 5
very highHighly actionable with clear, concrete steps that an agent can follow directly.